Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations Chriss Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
vpn on 1600
- Thread starter gwu
- Start date
Take a look at the following example created by cisco configmaker.....if it works here then it looks like it is possible.....only can use des and not 3des encryption though.
!
!
service timestamps debug uptime
service timestamps log uptime
service password-encryption
no service tcp-small-servers
no service udp-small-servers
!
hostname RouterA
!
enable password 123
!
no ip name-server
!
ip subnet-zero
no ip domain-lookup
ip routing
!
! Internet Key Exchange (IKE)
!
crypto isakmp enable
crypto isakmp identity address
!
crypto isakmp policy 1
encryption des
hash md5
authentication pre-share
group 1
lifetime 86400
crypto isakmp key mysharedkey address 196.100.40.20
!
! IPSec
!
crypto ipsec transform-set cm-transformset-1 ah-md5-hmac esp-des esp-md5-hmac
crypto map cm-cryptomap local-address Serial 0
!
crypto map cm-cryptomap 1 ipsec-isakmp
match address 100
set peer 196.100.40.20
set transform-set cm-transformset-1
set security-association lifetime seconds 3600
set security-association lifetime kilobytes 4608000
!
interface Ethernet 0
no shutdown
description connected to LANA
ip address 172.23.16.1 255.255.255.0
ip nat inside
keepalive 10
!
interface Ethernet 1
no description
no ip address
shutdown
!
interface Serial 0
no shutdown
description connected to Internet
crypto map cm-cryptomap
service-module t1 clock source line
service-module t1 data-coding normal
service-module t1 remote-loopback full
service-module t1 framing esf
service-module t1 linecode b8zs
service-module t1 lbo none
service-module t1 remote-alarm-enable
ip address 60.40.50.21 255.255.255.248
ip nat outside
no ip route-cache
encapsulation ppp
!
!
access-list 100 permit ip 172.23.16.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 deny ip 172.23.16.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 172.23.16.0 0.0.0.255 any
!
! Dynamic NAT
!
ip nat translation timeout 86400
ip nat translation tcp-timeout 86400
ip nat translation udp-timeout 300
ip nat translation dns-timeout 60
ip nat translation finrst-timeout 60
ip nat inside source list 1 interface Serial 0 overload
!
router rip
version 2
network 172.23.0.0
passive-interface Serial 0
no auto-summary
!
!
ip classless
!
! IP Static Routes
ip route 0.0.0.0 0.0.0.0 Serial 0
no ip http server
snmp-server community public RO
no snmp-server location
no snmp-server contact
!
line console 0
exec-timeout 0 0
password 123
login
!
line vty 0 4
password 123
login
!
end
service timestamps debug uptime
service timestamps log uptime
service password-encryption
no service tcp-small-servers
no service udp-small-servers
!
hostname RouterB
!
enable password 456
!
no ip name-server
!
ip subnet-zero
no ip domain-lookup
ip routing
!
! Internet Key Exchange (IKE)
!
crypto isakmp enable
crypto isakmp identity address
!
crypto isakmp policy 1
encryption des
hash md5
authentication pre-share
group 1
lifetime 86400
crypto isakmp key mysharedkey address 60.40.50.21
!
! IPSec
!
crypto ipsec transform-set cm-transformset-1 ah-md5-hmac esp-des esp-md5-hmac
crypto map cm-cryptomap local-address Serial 0
!
crypto map cm-cryptomap 1 ipsec-isakmp
match address 100
set peer 60.40.50.21
set transform-set cm-transformset-1
set security-association lifetime seconds 3600
set security-association lifetime kilobytes 4608000
!
interface Ethernet 0
no shutdown
description connected to LANB
ip address 192.168.1.1 255.255.255.0
ip nat inside
keepalive 10
!
interface Ethernet 1
no description
no ip address
shutdown
!
interface Serial 0
no shutdown
description connected to Internet
crypto map cm-cryptomap
service-module t1 clock source line
service-module t1 data-coding normal
service-module t1 remote-loopback full
service-module t1 framing esf
service-module t1 linecode b8zs
service-module t1 lbo none
service-module t1 remote-alarm-enable
ip address 196.100.40.20 255.255.255.248
ip nat outside
no ip route-cache
encapsulation ppp
!
!
Access-list 100 permit ip 192.168.1.0 0.0.0.255 172.23.16.0 0.0.0.255
access-list 102 deny ip 192.168.1.0 0.0.0.255 172.23.16.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
!
! Dynamic NAT
!
ip nat translation timeout 86400
ip nat translation tcp-timeout 86400
ip nat translation udp-timeout 300
ip nat translation dns-timeout 60
ip nat translation finrst-timeout 60
ip nat inside source list 102 interface Serial 0 overload
!
router rip
version 2
network 192.168.1.0
passive-interface Serial 0
no auto-summary
!
!
ip classless
!
! IP Static Routes
ip route 0.0.0.0 0.0.0.0 Serial 0
no ip http server
snmp-server community public RO
no snmp-server location
no snmp-server contact
!
line console 0
exec-timeout 0 0
password 456
login
!
line vty 0 4
password 456
login
!
end
!
!
service timestamps debug uptime
service timestamps log uptime
service password-encryption
no service tcp-small-servers
no service udp-small-servers
!
hostname RouterA
!
enable password 123
!
no ip name-server
!
ip subnet-zero
no ip domain-lookup
ip routing
!
! Internet Key Exchange (IKE)
!
crypto isakmp enable
crypto isakmp identity address
!
crypto isakmp policy 1
encryption des
hash md5
authentication pre-share
group 1
lifetime 86400
crypto isakmp key mysharedkey address 196.100.40.20
!
! IPSec
!
crypto ipsec transform-set cm-transformset-1 ah-md5-hmac esp-des esp-md5-hmac
crypto map cm-cryptomap local-address Serial 0
!
crypto map cm-cryptomap 1 ipsec-isakmp
match address 100
set peer 196.100.40.20
set transform-set cm-transformset-1
set security-association lifetime seconds 3600
set security-association lifetime kilobytes 4608000
!
interface Ethernet 0
no shutdown
description connected to LANA
ip address 172.23.16.1 255.255.255.0
ip nat inside
keepalive 10
!
interface Ethernet 1
no description
no ip address
shutdown
!
interface Serial 0
no shutdown
description connected to Internet
crypto map cm-cryptomap
service-module t1 clock source line
service-module t1 data-coding normal
service-module t1 remote-loopback full
service-module t1 framing esf
service-module t1 linecode b8zs
service-module t1 lbo none
service-module t1 remote-alarm-enable
ip address 60.40.50.21 255.255.255.248
ip nat outside
no ip route-cache
encapsulation ppp
!
!
access-list 100 permit ip 172.23.16.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 deny ip 172.23.16.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 172.23.16.0 0.0.0.255 any
!
! Dynamic NAT
!
ip nat translation timeout 86400
ip nat translation tcp-timeout 86400
ip nat translation udp-timeout 300
ip nat translation dns-timeout 60
ip nat translation finrst-timeout 60
ip nat inside source list 1 interface Serial 0 overload
!
router rip
version 2
network 172.23.0.0
passive-interface Serial 0
no auto-summary
!
!
ip classless
!
! IP Static Routes
ip route 0.0.0.0 0.0.0.0 Serial 0
no ip http server
snmp-server community public RO
no snmp-server location
no snmp-server contact
!
line console 0
exec-timeout 0 0
password 123
login
!
line vty 0 4
password 123
login
!
end
service timestamps debug uptime
service timestamps log uptime
service password-encryption
no service tcp-small-servers
no service udp-small-servers
!
hostname RouterB
!
enable password 456
!
no ip name-server
!
ip subnet-zero
no ip domain-lookup
ip routing
!
! Internet Key Exchange (IKE)
!
crypto isakmp enable
crypto isakmp identity address
!
crypto isakmp policy 1
encryption des
hash md5
authentication pre-share
group 1
lifetime 86400
crypto isakmp key mysharedkey address 60.40.50.21
!
! IPSec
!
crypto ipsec transform-set cm-transformset-1 ah-md5-hmac esp-des esp-md5-hmac
crypto map cm-cryptomap local-address Serial 0
!
crypto map cm-cryptomap 1 ipsec-isakmp
match address 100
set peer 60.40.50.21
set transform-set cm-transformset-1
set security-association lifetime seconds 3600
set security-association lifetime kilobytes 4608000
!
interface Ethernet 0
no shutdown
description connected to LANB
ip address 192.168.1.1 255.255.255.0
ip nat inside
keepalive 10
!
interface Ethernet 1
no description
no ip address
shutdown
!
interface Serial 0
no shutdown
description connected to Internet
crypto map cm-cryptomap
service-module t1 clock source line
service-module t1 data-coding normal
service-module t1 remote-loopback full
service-module t1 framing esf
service-module t1 linecode b8zs
service-module t1 lbo none
service-module t1 remote-alarm-enable
ip address 196.100.40.20 255.255.255.248
ip nat outside
no ip route-cache
encapsulation ppp
!
!
Access-list 100 permit ip 192.168.1.0 0.0.0.255 172.23.16.0 0.0.0.255
access-list 102 deny ip 192.168.1.0 0.0.0.255 172.23.16.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
!
! Dynamic NAT
!
ip nat translation timeout 86400
ip nat translation tcp-timeout 86400
ip nat translation udp-timeout 300
ip nat translation dns-timeout 60
ip nat translation finrst-timeout 60
ip nat inside source list 102 interface Serial 0 overload
!
router rip
version 2
network 192.168.1.0
passive-interface Serial 0
no auto-summary
!
!
ip classless
!
! IP Static Routes
ip route 0.0.0.0 0.0.0.0 Serial 0
no ip http server
snmp-server community public RO
no snmp-server location
no snmp-server contact
!
line console 0
exec-timeout 0 0
password 456
login
!
line vty 0 4
password 456
login
!
end
- Thread starter
- #4
- Thread starter
- #6
Feature set has to be loaded on the router for it to work.......IOS image on router may not support it so therefore is not listed. I have a 1750 myself and know for a fact that it is supported with the right IOS. Just need a different IOS for router.
- Thread starter
- #9
How can I upgrade the ios? Do I have to buy it from Cisco?
I looked on ebay for a 1700 series router. I saw one that had a VPN module. What is that hardware for? Is that neccessary?
If I buy a new router(or used from ebay), how can I tell if the ios has built in VPN support? Is it a matter of looking at the running config?
thanks
I looked on ebay for a 1700 series router. I saw one that had a VPN module. What is that hardware for? Is that neccessary?
If I buy a new router(or used from ebay), how can I tell if the ios has built in VPN support? Is it a matter of looking at the running config?
thanks
If a router has a VPN module then the encryption/decryption process is done in hardware, using the VPN module. If no module is present then the encryption/decryption process is done in software, using the router's cpu to accomplish this task.
IOS images supporting IPSec 3DES normally has "k9" as part of the IOS image name, ie: c1700-k9sy-mz.122-28.bin
As you can see, the part -k9sy- indicates it supports IPSec 3DES because it has the "k9" keyword as part of the IOS image name. Like joamon explained, the IOS running on the router can be gathered using the show version command.
IOS images supporting IPSec 3DES normally has "k9" as part of the IOS image name, ie: c1700-k9sy-mz.122-28.bin
As you can see, the part -k9sy- indicates it supports IPSec 3DES because it has the "k9" keyword as part of the IOS image name. Like joamon explained, the IOS running on the router can be gathered using the show version command.
- Thread starter
- #13
1)The network behind our current firewall is a private subnet snat'd to a pubic internet address. If i am putting this behind this firewall than I really only need one FastEthernet port; I dont need any WIC cards or secondary FastEthernet port...there will be very little traffic. The VPN will be connected to a small network behind a checkpoint VPN/Firewall box across the Internet. Is this correct?
2) Is a 1700 series the way to go for this VPN solution or is it better to go with a PIX or some other brand?
thanks
2) Is a 1700 series the way to go for this VPN solution or is it better to go with a PIX or some other brand?
thanks
- Status
Similar threads
- Locked
- Question
